Teen charged in Heartbleed privacy breach at CRA

The Canadian Press
Published Wednesday, April 16, 2014 2:47PM EDT
Last Updated Wednesday, April 16, 2014 8:48PM EDT

OTTAWA -- Police have charged a 19-year-old man from London, Ont., in connection with the loss of taxpayer data from the Canada Revenue Agency website.

Stephen Arthuro Solis-Reyes was arrested at his residence Tuesday and is charged with unauthorized use of a computer and mischief in relation to data, the RCMP said Wednesday.

A search of the residence resulted in the seizure of computer equipment.

Solis-Reyes is a computer science student at Western University, a spokesman for the university said. He is scheduled to appear in court in Ottawa on July 17.

The Canada Revenue Agency was forced to shut down its publicly accessible website Friday as the world learned about the Heartbleed computer bug, a previously undiscovered global Internet security vulnerability.

Other government computer sites were also temporarily taken down over the weekend.

On Monday, the agency said 900 social insurance numbers had been compromised.

The loss was detected Friday, but the agency delayed telling Canadians about it at the request of the RCMP.

The police said the delay allowed them to pursue their investigation through the weekend and helped track down a suspect.

"The RCMP treated this breach of security as a high priority case and mobilized the necessary resources to resolve the matter as quickly as possible," said Assistant Commissioner Gilles Michaud.

"Investigators from National Division, along with our counterparts in O Division, have been working tirelessly over the last four days analyzing data, following leads, conducting interviews, obtaining and executing legal authorizations and liaising with our partners."

The fact police were able to follow the trail back to the alleged hacker -- let alone so quickly -- speaks to his level of experience, says an Internet security expert.

"They were not a very sophisticated attacker. Any attacker worth their salt would have been covering their track a lot better than that," said Mark Nunnikhoven, vice-president of cloud and emerging technologies at the software security firm Trend Micro.

"So you see in a movie, you know when they're trying to trace a call and they bounce it off a bunch of different satellites and such? That's what you would do as an attacker, making it very difficult to track you back."

The Heartbleed bug is caused by a flaw in OpenSSL software, commonly used on the Internet to provide security and privacy. The bug has affected many global IT systems in both private- and public-sector organizations and has the potential to expose private data.

Nunnikhoven explained how a security company was able to show how someone could steal private keys from a server using the Heartbleed bug.

"The best example of this bug being exploited publicly was a security company called CloudFlare set up a server that was vulnerable on purpose and put out a challenge to the security community and said, 'Hey, can you guys grab the private key?' which is the piece of information on the server that makes secure communications possible," Nunnikhoven said.

"And the way the researcher who succeeded did it was they sent a whole bunch of these Heartbleed requests and gradually pieced back together that server's memory.

"So essentially every time they made a request, they got a piece of the puzzle. They were just super patient and pieced back together that puzzle."

The revenue agency has said it will notify everyone involved in the security breach by registered letter and will offer access to credit-protection services.

Because of the five-day shutdown of its E-file and Netfile services, the revenue agency has effectively extended the tax filing deadline for the same length of time.